Hi Melissa,
I don't think this is very different than what we have in the quickstart
you mentioned.
On Wed, Oct 24, 2018 at 9:00 AM Melissa Palmer <melissa.palmer(a)gmail.com>
wrote:
> Hi,
> I am trying to do something similar to the following:
> - have a resource (say album) in app-authz-uma-photoz quickstart that
> includes a status attribute against it.
> - status such as: CREATED, APPROVED, DECLINED,
You probably noticed that resources in Keycloak have attributes, so you
could set a "status" accordingly. You should be able to write JS policies
that can access any attribute associated with a resource.
> - a person can then be given a role that allows for permissions (via a
> role) such as
>   - album:create
>   - album:approve
>   - album:decline
If you have different authorization requirements for each scope, you can
create a scope-based permission for each scope. Otherwise, a single
scope-based permission can manage access for all of them.
> - BUT a person is not allowed to approve any albums they created themselves
I would create a scope-based permission specific to album:approve and associate
it with a JS policy that denies access to the resource owner (considering
the owner is the person that created the resource).
> Is there a keycloak-quickstarts/example I can start from?
> Or a recommended way I should attempt to tackle this?
It is worth highlighting that when using UMA and, especially, the "My
Resources" page in the Account Service, resource owners are always allowed
to manage their resources. It seems you are more interested in a workflow
that does not really fit this functionality in particular. I think you
would need to manage this workflow from your app based on the permissions
you have in Keycloak.
> Thank You in advance,
> Melissa
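The approach suggested above (a scope-based permission for album:approve backed by a JS policy that denies the resource owner, with the album's status kept as a resource attribute), as an added example that is not part of this thread and not Keycloak's own code. The body of evaluateApprove is what would go into the policy script; the $evaluation object and the methods used on it follow Keycloak's policy evaluation API, while makeEvaluation, decide and the album/user values are constructed stand-ins so the rule can be exercised outside Keycloak.

```javascript
// Added example (not from this thread or from Keycloak). The body of
// evaluateApprove is the logic for the JS policy attached to the album:approve
// scope-based permission. $evaluation and the calls on it (getPermission()
// .getResource(), getOwner(), getSingleAttribute(), getContext().getIdentity()
// .getId(), grant(), deny()) follow Keycloak's policy evaluation API; the
// stand-in below is constructed so the policy can run outside Keycloak.

function evaluateApprove($evaluation) {
  var resource = $evaluation.getPermission().getResource();
  var identity = $evaluation.getContext().getIdentity();
  var status = resource.getSingleAttribute('status');

  // String() sidesteps Java-string vs JS-string comparison under Nashorn.
  if (String(resource.getOwner()) === String(identity.getId())) {
    // Rule 1: the creator (resource owner) may never approve their own album.
    $evaluation.deny();
  } else if (String(status) !== 'CREATED') {
    // Rule 2: only an album still in CREATED can be approved; one already
    // APPROVED or DECLINED, or with no status attribute at all, is denied.
    $evaluation.deny();
  } else {
    $evaluation.grant();
  }
}

// Constructed stand-in for the $evaluation object Keycloak injects: an album
// owned by ownerId carrying the given status attribute, evaluated for userId.
// result() reports whether the policy called grant() or deny().
function makeEvaluation(ownerId, status, userId) {
  var outcome = 'undecided';
  var resource = {
    getOwner: function () { return ownerId; },
    getSingleAttribute: function (name) { return name === 'status' ? status : null; }
  };
  var identity = { getId: function () { return userId; } };
  return {
    getPermission: function () { return { getResource: function () { return resource; } }; },
    getContext: function () { return { getIdentity: function () { return identity; } }; },
    grant: function () { outcome = 'grant'; },
    deny: function () { outcome = 'deny'; },
    result: function () { return outcome; }
  };
}

// Run the policy against a constructed album/user pair and return the decision.
function decide(ownerId, status, userId) {
  var ev = makeEvaluation(ownerId, status, userId);
  evaluateApprove(ev);
  return ev.result();
}
```

In a real deployment the status attribute would be updated by the application when it moves an album from CREATED to APPROVED or DECLINED, since the policy only reads it.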
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user